OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.
The telemetry aggregation API accepts user-controlled parameters: aggregationType, aggregateColumnName, and aggregationTimestampColumnName. These values are directly interpolated into ClickHouse SQL queries using the .append() method, described internally as 'trusted SQL'. The absence of an allowlist, lack of parameterized query binding mechanism, and complete absence of input validation allows an attacker to arbitrarily shape the contents of the executed SQL query. Through appropriately crafted parameter values, it is possible to abuse ClickHouse's built-in table functions to escalate the attack.
An attacker can read telemetric data from all tenants (multi-tenant), modify or delete data in the ClickHouse database, and through ClickHouse table functions potentially execute remote code (RCE) on the server.
OneUptime should be updated to version 10.0.23 or newer, in which the vulnerability has been fixed. Details available in the vendor's references: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p5g2-jm85-8g35
OneUptime (Hackerbay) in all versions prior to 10.0.23.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HHackerbay Oneuptime
APPHackerbay< 10.0.23
Related vulnerabilities
OneUptime: nieautoryzowany dostęp do endpointów powiadomień i zarządzania numerami
Brak uwierzytelnienia w endpointach workflow w OneUptime (RCE)
Brak uwierzytelnienia w API powiadomień OneUptime — obejście autoryzacji
RCE w OneUptime — command injection przez Playwright w Synthetic Monitor
OneUptime: RCE przez niebezpieczny Playwright sandbox w Synthetic Monitors